Implementing the asymptotically fast version of the elliptic curve primality proving algorithm

Transcription

1 Implementing the asymptotically fast version of the elliptic curve primality proving algorithm François Morain To cite this version: François Morain. Implementing the asymptotically fast version of the elliptic curve primality proving algorithm <hal v1> HAL Id: hal Submitted on 3 Feb 2005 (v1), last revised 4 Feb 2005 (v2) HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

2 IMPLEMENTING THE ASYMPTOTICALLY FAST VERSION OF THE ELLIPTIC CURVE PRIMALITY PROVING ALGORITHM F. MORAIN Abstract. The elliptic curve primality proving (ECPP) algorithm is one of the current fastest practical algorithms for proving the primality of large numbers. Its running time cannot be proven rigorously, but heuristic arguments show that it should run in time Õ((log N)5 ) to prove the primality of N. An asymptotically fast version of it, attributed to J. O. Shallit, runs in time Õ((log N)4 ). The aim of this article is to describe this version in more details, leading to actual implementations able to handle numbers with several thousands of decimal digits. 1. Introduction From the work of Agrawal, Kayal and Saxena [2], we know that determining the primality of an integer N can be done in proven deterministic polynomial time Õ((log N)10.5 ). More recently, H.-W. Lenstra and C. Pomerance have announced a version in Õ((log N)6 ). Building on the work of P. Berrizbeitia [7], D. Bernstein [6] and P. Mihăilescu & R. Mocenigo [31], independently, have given improved probabilistic versions with a claim of proven complexity of Õ((log N) 4 ), reusing classical cyclotomic ideas that originated in the Jacobi sums test [1, 11]. For more on primality before AKS, we refer the reader to [14]. For the recent developments, see [5]. All the known versions of the AKS algorithm are for the time being too slow to prove the primality of large explicit numbers. On the other hand, the elliptic curve primality proving algorithm [3] has been used for years to prove the primality of always larger numbers. The algorithm has a heuristic running time of Õ((log N) 5 ). In the course of writing [33], the author rediscovered the article [28], in which an asymptotically fast version of ECPP is described. This version, attributed to J. O. Shallit, has a heuristic running time of Õ((log N) 4 ). The aim of this paper is to describe fastecpp, give a heuristic analysis of it and describe its implementation. Section 2 collects some well-known facts on imaginary quadratic fields, that can be found for instance in [13]. Section 3 presents the basic ECPP algorithm and analyzes it. In Section 4, the fast version is described and its complexity estimated. Section 5 explains the implementation and Section 6 gives some actual timings on large numbers. 2. Quadratic fields A discriminant D < 0 is said to be fundamental if and only if D is free of odd square prime factors, and moreover D 3 mod 4 or when 4 D, (D/4) mod 4 {1, 2}. The quantity is easily seen to be O(X). D(X) = #{D X, D is fundamental} Date: January 27, Projet TANC, Pôle Commun de Recherche en Informatique du Plateau de Saclay, CNRS, École polytechnique, INRIA, Université Paris-Sud. The author is on leave from the French Department of Defense, Délégation Générale pour l Armement. See the web page of M. Martin, or that of the author 1

3 2 F. MORAIN A fundamental discriminant may be written as: D = where all q i s are distinct and q i is either 4 or ±8, or q i = ( 1/q i )q i for any prime q i. The number of genera is g( D) = 2 t 1 and Gauss proved that this number divides the class number h( D) of K = Q( D). Moreover, Siegel proved that h = O(D 1/2+ε ) asymtotically. The rational prime p is the norm of an integer in K, or equivalently, 4p = U 2 + DV 2 in rational integers U and V if and only if the ideal (p) splits completely in the Hilbert class field of K, denoted K H, an extension of degree h( D) of K. The probability that a prime p splits in K is 1/(2h( D)). Using Gauss s theory of genera of forms, it is known that if ( q i p ) = 1 for all i (equivalently, (p) splits in the genus field of K), then the probability of (p) splitting in K H is g( D)/h( D). t i=1 q i 3. The basic ECPP algorithm We present a rough sketch of the ECPP algorithm, enough for us to estimate its complexity. We do not insist on what happens if one of the steps fails, revealing the compositeness of N. More details can be found in [3] Elliptic curves over Z/NZ. For us, an elliptic curve E modulo N will have an equation Y 2 X 3 + ax + b with gcd(4a b 2, N) = 1 and we will use the set of points E(Z/NZ) defined as: E(Z/NZ) = {(x : y : z) P 2 (Z/NZ), y 2 z x 3 + axz 2 + bz 3 } {O E = (0 : 1 : 0)} which ressembles the definition of an actual elliptic curve if N is prime, P 2 (Z/NZ) being the projective plane over Z/NZ. The important point here is that if p is a divisor of N, we can reduce the curve E and a point P on it via a reduction modulo p of each integer, yielding a point P p on E p. Moreover, we can define an operation on E(Z/N Z), called pseudo-addition, that adds two points P and Q with the usual chord-and-tangent law. This operation either yields a point R or a divisor of N if any is encountered when dividing. If R exists, then it has the property that R p is the sum of P p and Q p on E p for all prime factors p of N. Note also that O E reduces to the ordinary point at infinity on E p. We will need to exponentiate points in E. This is best defined using the division polynomials (see for instance [4] for a lot of properties on these). Remember that over a field K there exist polynomials φ m (X, Y ), ψ m (X, Y ), ω m (X, Y ) such that (1) [m]p = P } + {{ + P } = [m](x, Y ) = ( φ m (X, Y )ψ m (X, Y ) : ω m (X, Y ) : ψm 3 (X, Y )). m times All these polynomials can be computed via recurrence formulas and there is a O(log m) algorithm for this task (a variant of the usual binary method for exponentiating). We will take (1) for the definition of [m]p over Z/NZ. We note here that if ψ m (X, Y ) = 0, then [m]p is equivalent to the point O E. For the sake of presenting the algorithm in a simplified setting, we prove (compare [25]): Proposition 3.1. Let N a prime satisfying ( N 1) 2 2N ( N + 1) 2. Suppose that E(Z/NZ) is a curve over Z/NZ, that P = (x : y : 1) is such that gcd(y, N) = 1, ψ 2N (x, y) = 0 but gcd(ψ N (x, y), N) = 1. Then N is prime.

4 FASTECPP 3 Proof: suppose that N is composite and that p N is one of its prime factors. Let us look at what happens modulo p. By construction, P p is not a 2-torsion point on E p. Since ψ N (x, y) is invertible modulo p, then [N ](P p ) O Ep and therefore P p is of order 2N modulo p. This is impossible, since 2N ( N 1) 2 (p 1) 2 > ( p 1) 2 #E p by Hasse s theorem Presentation of the algorithm. We want to prove that N is prime. The algorithm runs as follows: [Step 1.] Repeat the following: Find an imaginary quadratic field K = Q( D) of discriminant D, D > 0, such that (2) 4N = U 2 + DV 2 in rational integers U and V. For all solutions U of (2), compute m = N + 1 U; if one of these numbers is twice a probable prime N, go to Step 2. [Step 2.] Build an elliptic curve E over Q having complex multiplication by the ring of integers O K of K. [Step 3.] Reduce E modulo N to get a curve E. [Step 4.] Find P = (x : y : 1), gcd(y, N) = 1 on E such that ψ 2N (x, y) = 0, but gcd(ψ N (x, y), N) = 1. If this cannot be done, then N is composite, otherwise, it is prime by Proposition 3.1. [Step 5.] Set N = N and go back to Step Analyzing ECPP. We will now analyze all steps of the above algorithm and give complexity estimates using the parameter L = log N. One basic unit of time will be the time needed to multiply two integers of size L, namely O(L 1+µ ), where 0 µ 1 (µ = 1 for ordinary multiplication, or ɛ > 0 for any fast multiplication method). Clearly, we need log N steps for proving the primality of N. We consider all steps, one at a time, easier steps first Analysis of Step 4. Finding a point P can be done by a simple algorithm that looks for the smallest x such that x 3 + ax + b is a square modulo p and then extracting a squareroot modulo p, for a cost of O((log N) 2+µ ). Note that we can do without this with the trick described in [3, 8.6.3], though we do not need this at this point. Computing ψ N (x, y) costs O((log N) 2+µ ), and we need O(1) points on average, so this steps amounts for O((log N) 2+µ ) Analyzing Step 2. The original version is to realize K H /K via the computation of the minimal polynomial H D (X) of the special values of the classical j-invariant at quadratic integers. More precisely, we can view the class group Cl( D) of K as a set of primitive reduced quadratic forms of discriminant D. If (A, B, C) is such a form, with B 2 4AC = D, then ( H D (X) = X j(( B + ) D)/(2A)). (A,B,C) Cl( D) In [16], it is argued that the height of this polynomial is well approximated by the quantity: π 1 D A, [A,B,C] Cl( D) which can be shown to be O((log h) 2 ). Evaluating the roots of H D (X) and building this polynomial can be done in Õ(h2 ) operations (see [15]). Note that this step does not require computations modulo N.

5 4 F. MORAIN Alternatively, we could use the method of [12, 8] for computing the class polynomial and get a proven running time of Õ(h2 ), but assuming GRH Analyzing Step 3. Reducing E modulo N is done by finding a root of H D (X) modulo N. This can be done with the Cantor-Zassenhaus algorithm (see [22] for instance). Briefly, we split recursively H D (X) by computing gcd((x + a) (N 1)/2 1, H D (X)) mod N for random a s. Computing (X + a) (N 1)/2 mod (N, H D (X)) costs O((log N)M(N, h)) = O(LM(N, h)) where M(N, d) is the time needed to multiply two degree d polynomials modulo N. A gcd of two degree d polynomials costs M(N, d) log d (see [22, Ch. 11]). The total splitting requires log h steps, but the overall cost is dominated by the first one, hence yields a time: O(M(N, h) max(l, log h)). We can assume that M(N, d) = O(d 1+ν L 1+µ ) where again 0 ν Analysis of Step 1. This is the crucial step that will give us the clue to the complexity. Given D, testing whether (2) is satisfied involves the reduction of the ideal (N, r D 2 ) that lies above (N) in K, where r 2 D mod (4N) (if N is prime...). This requires the computation of D mod N, using for instance the Tonelli-Shanks algorithm, for the cost of one modular exponentiation, i.e., a O(L 2+µ ) time. Then it proceeds with a half gcd like computation, for a cost of O(L 1+µ ) (see also section 5.2 below). In the event that equation (2) is solvable, then we need check that m = 2N and test N for primality, which costs again some O(L 2+µ ). The heuristic probability of m being of the given form is O(1/L). Though quite realistic, it is impossible to prove, given the current state of the art in analytical number theory. Using this heuristics, we expect to need O(L) splitting D s. Let us take all discriminants less than D max. They have class number close to h( D max ) = O( D max ) and there are O(D max ) of them. We see that if L = O(D max )/ D max, then among these discriminants, one will lead to a useful m. We conclude that D max = O(L 2 ) should suffice. Turning to complexity, the cost of Step 1 is then that of O(L 2 ) solving of (2), followed by O(L) probable primality tests: O(L 2 ( L}{{ 2+µ } + L}{{ 1+µ } D mod N reduction which is dominated by the first cost, namely O(L 4+µ ). )) + O(L L}{{ 2+µ } ). probable primality 3.8. Adding everything together. Taking D = O(L 2 ) readily implies h = O(L), so that the cost of Step 2 is Õ(L2 ), and that of Step 3 is O((log L)L 3+µ+ν ), which dominates Step 4. All in all, we get that ECPP has heuristic complexity O(L 4+µ ) for one step, and therefore O(L 5+µ ) in totality Remark. In practice, the dominant term of the complexity of Step 1 is O(n D L 2+µ ) where n D is the number of D s for which we try solve equation (2). Depending on implementation parameters and real size of N, this number n D can be quite small. This gives a very small apparent complexity to ECPP, somewhere in between L 3 and L 4 and explains why ECPP seems so fast in practice (see for instance [21]).

6 FASTECPP 5 4. The fast version of ECPP 4.1. Presentation. When dealing with large numbers, all the time is spent in the finding of D, which means that a lot of squareroots modulo N must be computed. A first way to reduce the computations, alluded to in [3, 8.4.3], is to accumulate squareroots, and reuse them, at the cost of some multiplications. For instance, if one has 3 and 5 = 20/ 4, then we can build 15, etc. A better way that leads to the fast version consists in computing a basis of small squareroots and build discriminants from this basis. Looking at the analysis carried out above, we see that we need O(L 2 ) discriminants to find a good one. The basic version finds them by using all discriminants that are of size O(L 2 ). As opposed to this, one can build those discriminants as D = ( p)(q), where p and q are taken from a pool of size O(L) primes. More formally, we replace Step 1. by Step 1. as follows: [Step 1.] 1.1. Find the r = O(L) smallest primes q such that ( q N) = 1, yielding Q = {q 1, q2,..., q r} Compute all q mod N for q Q For all pairs (qi 1, qi 2 ) of Q for which qi 1 qi 2 = D < 0, try to solve equation (2). The cost of this new Step 1 is that of computing r = O(L) squareroots modulo N, for a cost of O(L L 2+µ ). Then, we still have O(L 2 ) reductions. The new overall cost of this phase decreases now to: O(L L}{{ 2+µ } ) + O(L 2 L}{{ 1+µ } squareroots reduction ) + O(L L 2+µ }{{} ) probable primality which yields namely O(L 3+µ ). Note here how the complexity decomposes as 3 = or depending on the sub-algorithms. Putting everything together, we end up with a total cost of O(L 4+µ ) for this variant of ECPP Remarks Complexity issues. We can slightly optimize the preceding argument, by using all subsets of Q and not only pairs of elements. This would call for r = O(log log N), since then 2 r = L 2 could be reached. Though useful in practice, this phase no longer dominates the cost of the algorithm. Moreover, we can see that several phases of fastecpp have cost Õ(L3 ), which means that we would have to fight hard to decrease the overall complexity below Õ(L4 ) A note on discriminants. Note that we use fundamental discriminants only, as non fundamental discriminants lead to curves that do not bring anything new compared to fundamental ones. Indeed, if D = f 2 D, with D fundamental, then there is a curve having CM by the order of discriminant D. Writing 4N = U 2 + Df 2 V 2, its cardinality is N + 1 U, the same as the corresponding curve associated to D A note on class numbers. As soon as we use composite discriminants D of the form q i 1 q i 2, Gauss s theorem tells us that the class number h( D) is even. This could bias our estimation, but we conjecture that the effect is not important.

7 6 F. MORAIN 5. Implementation 5.1. Computing class numbers. In order to make the search for D D efficient, it is better to control the class number beforehand. Tables can be made, but for larger computations, we need a fast way to compute h( D). Subexponential methods exist, assuming the Generalized Riemann Hypothesis. From a practical point of view, our D s are of medium size. Enumerating all forms costs O(h 2 ) with a small constant, and Shanks s baby-steps/giant-steps algorithm costs O( h) but with a large constant. It is better here to use the explicit formula of Louboutin [29] that yields a practical method in O(h) with a very small constant An improved Cornacchia algorithm. Step 1 needs squareroots to be computed, and some half gcd to be performed. Briefly, Cornacchia s algorithm runs as follows (see [34]): procedure Cornacchia(d, p, t) {t is such that t 2 d mod p, p/2 < t < p } a) r 2 = p, r 1 = t ; w 2 = 0, w 1 = 1; b) for i 0 while r i 1 > p do r i 2 = a i r i 1 + r i, 0 r i < r i 1 ; w i = w i 2 + a i w i 1 ( ) ; c) if r 2 i 1 + dw2 i 1 = p then return (r i 1, w i 1 ) else return. We end the for loop once we get r i 1 p < r i 2. As is well known, the a i s are quite small and we can guess their size by monitoring the number of bits of the r i s, thus limiting the number of long divisions. One can use a fast variant for this half gcd if needed, in a way reminiscent of Knuth. Moreover, from the theory, we know that this algorithms almost always returns that the empty set in step 2c), since the probability of success if 1/(2h( d)). Therefore, when h is large, we can dispense of the multiprecision computations in equation ( ). We replace it by single precision computations: w i = w i 2 + a i w i 1 mod 2 32 and at the end, we test whether r 2 i 1 + dw2 i 1 = p mod 232. If this is the case, then we redo the computation of the w i s and check again Factoring m. Critical parameters are that related to the factorization of m, since in practice we try to factor m to get it of the form cn for some B-smooth number c. As shown in [20], the number of probable prime tests we will have to perform is t = O((log N)/(log B)) and we will end up with N such that N/N log B. For small numbers, we can factor lots of m doing the following. In a first step, we compute r i = (N + 1) mod p i for all p i B s, which costs π(b)(log N) 1+ε, where π(b) = O(B/ log B) is the number of primes below B and the other term being the time needed to divide a multi-digit number by a single digit number. Then, sieving both m = N + 1 U and m = N U is done by computing u i = U mod p i and comparing it to ±r i for primes p i such that ( D/p i ) 1. See [3, 32] for more details and tricks. The cost of this algorithm for t values of m is O(π(B)(log N) 1+ε ) + O(t π(b)(log N) 1+ε )

8 FASTECPP 7 where the second term is that for computing U mod p i, which is slightly half that of (N +1) mod p i, since U is O( N). Since we need to perform also t probable prime tests (say, a plain Fermat one), then the cost is O(tBL) + O(tL 2+µ ) = O(BL 2 ) + O(L 3+µ ) and therefore the optimal value for B is B = O(L). For larger numbers, it is better to use the stripping factor algorithm in [20], for a cost of O(B(log B) 2 ), the optimal value of B being B = O((log N) 3 ) Remark. Suppose now that we have found N and that m = N + 1 U = cn. Then we will have to compute which may be computed as: r i = (N + 1) mod p i r i = (r i u i )/c + 1 mod p i. Computing the right hand side is faster, since c is ordinarily small compared to N Using an early abort strategy. This idea is presented in [20]. We would like to go down as fast as possible. So why not impose N/N greater than some given bound? Candidates N need be tested for probable primality only if this bound is met. From what has been written above, we can insist on N/N log B. In practice, we used a bound δ and used N/N 2 δ Using new invariants. Proving larger and larger numbers forces us to use larger and larger D s, leading to larger and larger polynomials H D. For this to be doable, new invariants had to be used, so as to minimize the size of the minimal polynomials. This task was done using Schertz s formulation of Shimura s reciprocity law [35], with the invariants of [18] as demonstrated in [16] (alternatively see [24, 23]). Note that replacing j by other functions does not the change the complexity of the algorithm, though it is crucial in practice Step 3 in practice. We already noted that this step is the theoretically dominating one in fastecpp, with a cost of O((log L)L 3+µ+ν ). In practice, even for small values of h, we can assume ν 0 (using for instance the algorithm of [30] for polynomial multiplication). Galois theory comes in handy for reducing the log L term to a log log L one, if we insist on h being smooth. Then, we replace the time needed to factor a degree h polynomial by a list of smaller ones, the largest prime factor of h being log h. We already used that in ECPP, using [27, 17]. Typical values of h are now routinely in the zone. It could be argued that keeping only smooth class numbers is too restrictive. Note however, that class numbers tend to be smoother than ordinary numbers [10] Improving the program. The new implementation uses GMP for the basic arithmetic, which enables one to use mpfr [26] and mpc [19], thus leading to a complete program that can compute polynomial H D s on the fly, contrary to the author s implementation of ECPP, prior to version This turned out to be the key for the new-born program to compete with the old one.

9 8 F. MORAIN 5.4. fastecpp. We give here the expanded algorithm corresponding to step 1. Using a smoothness bound B, we need approximately t = exp( γ) log N/ log B values of m and therefore roughly t/2 discriminants. The probability that D is a splitting discriminant is g( D)/h( D). Therefore we build discriminants until g( D)/h( D) t/2. D One way of building these discriminants is the following: we let r increase and build all or some of the subsets of {q1,..., q r } until the expected number of D s is reached. After this, we sort the discriminants with respect to (h( D)/g( D), h( D), D) and treat them in this order. 6. Benchmarks First of all, it should be noted that ECPP is not a well defined algorithm, as long as one does not give the list of discriminants that are used, or the principles that generate them. Since the first phase of ECPP requires a tree search, testing on a single number does not reveal too much. Averaging on more than 20 numbers is a good idea. Our current implementation uses GMP for the basic arithmetic, which enables one to use mpfr [26] and mpc [19], thus leading to a complete program that can compute polynomial H D s on the fly, contrary to the author s implementation of ECPP, prior to version This turned out to be the key for the new-born program to compete with the old one. We give below some timings obtained with this implementation, after a lot of trials. We used as prime candidates the first twenty primes of 1000, 1500, and 2000 decimal digits. Critical parameters are as follows: we used D 10 7, h 1000, δ = 12 (see section 5.3.2). For 1000 and 1500 decimal digits, we limited the largest prime factor of h to be 30 and for 2000 dd, it was put to 100. This parameter has an influence in Step 3. For the extraction of small prime factors (used in the algorithm described in [20] and denoted EXTRACT in the sequel), we used B = , 10 7, for the three respective sizes. SQRT refers to the computation of the qi, CORN to Cornacchia, PRP to probable primality tests; HD is the time for computing polynomials H D using the techniques described in [16], jmod the time to solve it modulo p; then 1st refers to the building phase (step 1), 2nd to the other ones; total is the total time, check the time to verify the certificate. Follow some data concering D, h and the size of the certificates (in kbytes). All timings are cumulated CPU time on an AMD Athlon running at 2.4GHz. Looking at the average total time, we see that it follows very closely the O((log N) 4 ) prediction. Note also that the dominant time is that of the PRP tests, and that all phases have time close to what was predicted. 7. Conclusions We have described in greater details the fast version of ECPP. We have demonstrated its efficiency. As for ECPP, it is obvious that the computations can be distributed over a network of computers. We refer the reader to [20] for more details. Note that the current record of decimal digits (with the number see transaction in the NMBRTHRY mailing list), was settled using this approach. Many more numbers were proven prime using either the

10 FASTECPP 9 min max avg std SQRT CORN EXTRACT PRP HD jmod st nd total check nsteps certif D h Table decimal digits min max avg std SQRT CORN EXTRACT PRP HD jmod st nd total check nsteps certif D h Table decimal digits monoprocessor version or the distributed one, most of them from the tables of numbers of the form x y + y x made by P. Leyland. Cheng [9] has suggested to use ECPP to help his improvement of the AKS algorithm, forcing m = cn to have N 1 divisible by a given prime large prime of size O((log N) 2 ). The same idea can be used to speed up the Jacobi sums algorithm, and this will be detailed elsewhere. Acknowledgments. The author wants to thank N. Bourbaki for making him dive once again in the field of primality proving and D. Bernstein for stimulating s on the existence and analysis of fastecpp. My co-authors of [20] were a source of stimulation through their records. Thanks also to P. Gaudry for never ending discussions on how close we are to infinity, as far as fast

11 10 F. MORAIN min max avg std SQRT CORN EXTRACT PRP HD jmod st nd total check nsteps certif D h Table decimal digits algorithms are concerned. D. Stehlé and P. Zimmermann for useful discussions around Cornacchia and fast sieving. Thanks to A. Enge for his help in improving the exposition, and to D. Bernardi for his remarks that helped clarify the exposition. References [1] L. M. Adleman, C. Pomerance, and R. S. Rumely. On distinguishing prime numbers from composite numbers. Ann. of Math. (2), 117: , [2] M. Agrawal, N. Kayal, and N. Saxena. PRIMES is in P. Preprint; available at August [3] A. O. L. Atkin and F. Morain. Elliptic curves and primality proving. Math. Comp., 61(203):29 68, July [4] M. Ayad. Points S-entiers des courbes elliptiques. Manuscripta Math., 76(3-4): , [5] D. Bernstein. Proving primality after Agrawal-Kayal-Saxena. January [6] D. Bernstein. Proving primality in essentially quartic expected time. January [7] P. Berrizbeitia. Sharpening Primes is in P for a large family of numbers. November [8] R. Bröker and P. Stevenhagen. Elliptic curves with a given number of points. In D. Buell, editor, Algorithmic Number Theory, volume 3076 of Lecture Notes in Comput. Sci., pages Springer-Verlag, th International Symposium, ANTS-VI, Burlington, VT, USA, June 2004, Proceedings. [9] Q. Cheng. Primality proving via one round in ECPP and one iteration in AKS. In D. Boneh, editor, Advances in Cryptology CRYPTO 2003, volume 2729 of Lecture Notes in Comput. Sci., pages Springer Verlag, [10] H. Cohen and H. W. Lenstra, Jr. Heuristics on class groups of number fields. In H. Jager, editor, Number Theory, Noordwijkerhout 1983, volume 1068 of Lecture Notes in Math., pages Springer-Verlag, Proc. of the Journées Arithmétiques 1983, July [11] H. Cohen and H. W. Lenstra, Jr. Primality testing and Jacobi sums. Math. Comp., 42(165): , [12] J.-M. Couveignes and T. Henocq. Action of modular correspondences around CM points. In C. Fieker and D. R. Kohel, editors, Algorihmic Number Theory, volume 2369 of Lecture Notes in Comput. Sci., pages Springer-Verlag, th International Symposium, ANTS-V, Sydney, Australia, July 2002, Proceedings. [13] D. A. Cox. Primes of the form x 2 + ny 2. John Wiley & Sons, [14] R. Crandall and C. Pomerance. Prime numbers A Computational Perspective. Springer Verlag, [15] A. Enge. The complexity of class polynomial computations via floating point approximations. Preprint, February 2004.

12 FASTECPP 11 [16] A. Enge and F. Morain. Comparing invariants for class fields of imaginary quadratic fields. In C. Fieker and D. R. Kohel, editors, Algorithmic Number Theory, volume 2369 of Lecture Notes in Comput. Sci., pages Springer-Verlag, th International Symposium, ANTS-V, Sydney, Australia, July 2002, Proceedings. [17] A. Enge and F. Morain. Fast decomposition of polynomials with known Galois group. In M. Fossorier, T. Høholdt, and A. Poli, editors, Applied Algebra, Algebraic Algorithms and Error-Correcting Codes, volume 2643 of Lecture Notes in Comput. Sci., pages Springer-Verlag, th International Symposium, AAECC-15, Toulouse, France, May 2003, Proceedings. [18] A. Enge and R. Schertz. Modular curves of composite level. Soumis, [19] A. Enge and P. Zimmermann. mpc a library for multiprecision complex arithmetic with exact rounding, Version 0.4.1, available from [20] J. Franke, T. Kleinjung, F. Morain, and T. Wirth. Proving the primality of very large numbers with fastecpp. In D. Buell, editor, Algorithmic Number Theory, volume 3076 of Lecture Notes in Comput. Sci., pages Springer-Verlag, th International Symposium, ANTS-VI, Burlington, VT, USA, June 2004, Proceedings. [21] W. F. Galway. Analytic computation of the prime-counting function. PhD thesis, University of Urbana- Champaign, galway/phd Thesis/. [22] J. von zur Gathen and J. Gerhard. Modern Computer Algebra. Cambridge University Press, [23] A. Gee. Class invariants by Shimura s reciprocity law. J. Théor. Nombres Bordeaux, 11:45 72, [24] A. Gee and P. Stevenhagen. Generating class fields using Shimura reciprocity. In J. P. Buhler, editor, Algorithmic Number Theory, volume 1423 of Lecture Notes in Comput. Sci., pages Springer-Verlag, Third International Symposium, ANTS-III, Portland, Oregon, june 1998, Proceedings. [25] S. Goldwasser and J. Kilian. Primality testing using elliptic curves. Journal of the ACM, 46(4): , July [26] G. Hanrot, V. Lefèvre, and P. Zimmermann et. al. mpfr a library for multiple-precision floating-point computations with exact rounding, Version contained in gmp. Available from [27] G. Hanrot and F. Morain. Solvability by radicals from an algorithmic point of view. In B. Mourrain, editor, Symbolic and algebraic computation, pages ACM, Proceedings ISSAC 2001, London, Ontario. [28] A. K. Lenstra and H. W. Lenstra, Jr. Algorithms in number theory. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, volume A: Algorithms and Complexity, chapter 12, pages North Holland, [29] Stéphane Louboutin. Computation of class numbers of quadratic number fields. Math. Comp., 71(240): (electronic), [30] P. Mihăilescu. Fast convolutions meet Montgomery. Preprint, March [31] P. Mihăilescu and R. Avanzi. Efficient quasi-deterministic primality test improving AKS. Available from April [32] F. Morain. Primality proving using elliptic curves: an update. In J. P. Buhler, editor, Algorithmic Number Theory, volume 1423 of Lecture Notes in Comput. Sci., pages Springer-Verlag, Third International Symposium, ANTS-III, Portland, Oregon, june 1998, Proceedings. [33] F. Morain. La primalité en temps polynomial [d après Adleman, Huang ; Agrawal, Kayal, Saxena]. Astérisque, pages Exp. No. 917, ix, , Séminaire Bourbaki. Vol. 2002/2003. [34] A. Nitaj. L algorithme de Cornacchia. Exposition. Math., 13: , [35] R. Schertz. Weber s class invariants revisited. J. Théor. Nombres Bordeaux, 14: , (F. Morain) LIX École Polytechnique, CNRS/UMR 7161, INRIA/Futurs, F Palaiseau CEDEX, FRANCE address, F. Morain: morain@lix.polytechnique.fr